Gentlemen ransomware uses multiple EDR killers to disable defenses
Gentlemen ransomware uses multiple EDR killers to disable defenses.
Summary
The Gentlemen ransomware-as-a-service (RaaS) is actively developing and deploying a suite of EDR killers, including a tool called GentleKiller with at least eight variants. These tools leverage the BYOVD technique to gain kernel-level privileges and disable security products from over 48 vendors. The group also incorporates external tools like HexKiller, ThrottleBlood, and HavocKiller for redundancy or specific scenarios.
Full text
Gentlemen ransomware uses multiple EDR killers to disable defenses By Bill Toulas June 18, 2026 06:31 PM 0 The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks. The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog. The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products. An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered. These tools work by leveraging the 'bring your own vulnerable driver' (BYOVD) technique to elevate privileges and disable security engines. According to ESET researchers, each GentleKiller variant uses different vulnerable drivers to achieve kernel-level privileges. However, they all share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope. The analysis of the variants indicates that the framework is designed to allow easy driver swaps or weaponization of newly disclosed flaws without requiring major code changes. Variant names and drivers usedSource: ESET ESET states that GentleKiller targets more than 400 processes associated with approximately 48 security vendors/products, such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. GentleKiller processSource: ESET The binaries for the EDR killer tool are protected by the commercial Enigma and Themida packing and code-protection tools. ESET notes that the threat actor also uses stolen digital signatures from legitimate software, although they are invalid. Although GentleKiller is a standardized tool used in Gentlemen ransomware attacks, ESET reports that the threat group's collection of EDR killers also incorporates at least three external tools: HexKiller, previously used by the Warlock gang ThrottleBlood, linked to MesudaLocker and DragonForce attacks HavocKiller, also seen in ransomware operations Gentleman RaaS may have added them for redundancy, attribution complexity, or for use in specific cases where the effectiveness of GentleKiller might be limited. Additionally, ESET documented the use of OxideHarvest, a Rust-based credential-stealer tool that the researchers believe, based on the programming language choice, was developed externally. The researchers' analysis indicates that Gentlemen ransomware picks targets based on the configuration of their FortiGate endpoints. This is particularly interesting given the recent discovery of “FortiBleed,” a collection of nearly 74,000 FortiGate VPN credentials. The Gentlemen RaaS previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: AI-built ransomware toolkit automates EDR evasion, AD discoveryThe Gentlemen ransomware now uses SystemBC for bot-powered attacksRansomware gang abuses Microsoft Teams relays to hide malicious trafficUkrainian national pleads guilty to role in Conti ransomware operationAuthorities dismantle 'AudiA6' ransomware crypto-laundering service
Indicators of Compromise
- malware — GentleKiller
- malware — HexKiller
- malware — ThrottleBlood
- malware — HavocKiller
- malware — OxideHarvest
- malware — SystemBC